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Claims 

1. Mechanism for securing data access of a first subscriber 
5 (11) or a plurality of subscribers (12... 14), which are 

arranged in a first subnetwork (20) of an automation network 
(1) , to a second subscriber (15) or a plurality of subscribers 
(10, 11), which are arranged in a second subnetwork of the 
automation network (1), comprising at least one so-called 

10 secure switch (16, 24, 26), which is connected upstream of the 
first subscriber (11) or subscribers (12... 14) of the first 
subnetwork (20) , for establishing what is known as a tunnel 
(29, 30) to the second subscriber (15) or subscribers (10, 11) 
of the second subnetwork, by which data can be securely 

15 transmitted via an insecure network, wherein the secure switch 
(16, 24, 26) establishes the tunnel in a substitutional manner 
for the first subscriber (11) or in a substitutional manner for 
the subscribers (12... 14) of the first subnetwork (20) and 
allocates the tunnel to the subscriber or subscribers by. using 

20 the respective subscriber address. 

2. Mechanism according to claim 1, characterized in that a 
configuration tool (11) is provided for configuring the 
automation network (1) , by which parameter data of the secure 

25 switch (16, 24, 26) can automatically be generated and 
transmitted to the secure switch. 

3. Mechanism according to either claim 1 or claim 2, 
characterized in that the secure switch (16, 24, 28) is 

30 constructed as an Ethernet switch and at least one port (17, 

25, 28) is configured as a layer 3 port for producing a tunnel 
end point. 

4. Mechanism according to claim 3, characterized in that the 
35 IPsec protocol can be applied to produce the tunnel end point. 
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5. Mechanism according to any one of the preceding claims, 
characterized in that the secure switch (40) has at least one 
port" (47, 49, 50) which is constructed as a WLAN end point and 

5 is capable of producing a tunnel end point. 

6. Mechanism according to any one of the preceding claims, 
characterized in that the secure switch is constructionally 
suitable for use in an automation system. 

10 

7. Mechanism according to any one of the preceding claims, 
characterized in that a port (45) capable of producing a tunnel 
end point can be distinguished from other ports (41... 44) of 
the secure switch (40) by a marking. 

15 

8. Mechanism according to claim 7, characterized in that the 
marking can be changed over. 

9. Coupling device, referred to as a secure switch, for 

20 securing data access of a first subscriber or a plurality of 
subscribers, which are arranged in a first subnetwork of an 
automation network, to a second subscriber or a plurality of 
subscribers, which are arranged in a second subnetwork of the 
automation network, wherein the secure switch can be connected 

25 upstream of the first subscriber or subscribers of the first 
subnetwork, and comprises a device (45) , referred to as a 
secure channel converter, for establishing what is known as a 
tunnel to the second subscriber or subscribers of the second 
subnetwork, by which data can be securely transmitted via an 

30 insecure network, wherein the tunnel can be established in a 
substitutional manner for the first subscriber or subscribers 
of the first subnetwork and can be allocated to the subscriber 
or subscribers by using the respective subscriber address. 



